Hi Peter, > I have had a number of reports of messages targetting users on domains > for their credentials. > The interesting part of this message is the very basic but effective > encoding of the message. It appears that there are a couple of > characters that instruct the mail program to display the characters in > the reverse order.
Yep, this has been going on for a week or so. We have blocked many copies at our gateway service. > An example is attached. This appears to be random in the characters > reversed based on a number of examples forwarded. > I would say this is a simple yet effective way of bypassing signature > based filters. Indeed. > They also appear to be bouncing through Google to the compromised > website for phishing credentials. I am guessing it is phishing as the > websites that I have seen were unavailable at the time. Yes, it uses a google redirector and a encoding scheme in order to slip past filters. If clicked, it will post data to a remote cgi script "poch.cgi" in a small window. The domain where the cgi script is hosted changes, but "stand_artza._com" is the most popular. The poch.cgi returns the following code: <S_CRIPT> window.close(); </S_CRIPT> This is not phishing. My guess is this is data collection. The purpose is likely to collect IP addresses, domainname, date, time etc. What this information is used for, we can only speculate, but it could be some sort of seeding vector calculator. Regards Peter Kruse _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/